Feature transformation and Mutual Information for DNS tunneling analysis

Tunneling attacks are executed to bypass security policies or leak sensitive data outside of a network. In this paper, we propose an innovative algorithm to profile DNS tunnels. Our approach combines Principal Component Analysis and Mutual Information. The proposed algorithm is validated on a live network. Results show that, under specific conditions, anomalies are correctly characterized through the proposed method. Other cases require instead further investigation.